Continuous-variable quantum cryptography 
is secure against non-gaussian attacks 
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A general study of arbitrary finite-size coherent attacks against continuous-variable quantum 
cryptographic schemes is presented. It is shown that, if the size of the blocks that can be coherently 
attacked by an eavesdropper is fixed and much smaller than the key size, then the optimal attack for 
a given signal-to-noise ratio in the transmission line is an individual gaussian attack. Consequently, 
non-gaussian coherent attacks do not need to be considered in the security analysis of such quantum 
cryptosystems. 
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Continuous-variable quantum information theory has 
attracted a rapidly increasing interest over the past few 
years (see, e.g., yj). In this context, several quantum 
key distribution (QKD) schemes based on the exchange 
of continuous key carriers have been proposed (see, e.g., 
0)- In particular, several schemes based on the contin- 
uous modulation of coherent or squeezed states of light 
supplemented with homodyne detection have been shown 
to be particularly efficient for distributing secret keys at 
high repetition rates 0, • An experimental demonstra- 
tion of key distribution based on a gaussian modulation 
of coherent states was recently provided in [f| . 

In this Letter, we prove that given the estimated co- 
variance matrix of Alice's and Bob's data, the optimal 
finite-size coherent attack reduces to an individual gaus- 
sian attack characterized by this covariance matrix. This 
result fundamentally originates from the property that 
the distribution maximizing its Shannon entropy for a 
given variance is a gaussian distribution. This, com- 
bined with an entropic uncertainty relation, implies that 
is is sufficient to check the security of such cryptosystems 
against the restricted class of gaussian attacks. In other 
words, the best strategy for Eve is to apply sequentially, 
on each key element, a gaussian cloning machine |fj or 
an entangling gaussian cloning machine |jj depending on 
the exact protocol used. Another consequence is that, in 
order to maximize the resulting secret key rate via the 
gaussian channel induced by Eve's attack, Alice should 
modulate her data with a gaussian distribution. 

The security proof presented here is valid for all 
continuous-variable QKD schemes where Alice and Bob 
monitor the transmission line via the second-order mo- 
ments of their data, which includes all the protocols con- 
sidered in our previous papers [s& U, |l| . Note, however, 
that this excludes the alternative protocol based on post- 
selection as presented in || . Our proof covers all possible 
(including coherent) attacks that an eavesdropper may 
apply on finite-size blocks of key elements. The block 
size may be arbitrary, but it must be much smaller than 



the key size, so that the key is made out of a large number 
of independent blocks and statistical arguments therefore 
warrant the use of information theory in the proof. The 
unconditional security of squeezed-state QKD against co- 
herent attacks is currently proven if the squeezing exceeds 
some threshold , while such a proof for coherent-state 
QKD is the topic of a separate study 

Squeezed state protocols. Let us first investigate the 
security of gaussian-modulated squeezed-state protocols 
|2(. Alice chooses a quadrature (q or p) at random and 
sends Bob a displaced squeezed state, where the squeez- 
ing and displacement are applied on the chosen quadra- 
ture while the value of the displacement is gaussian dis- 
tributed. After transmission via the quantum channel, 
which may be controlled by Eve, Bob then measures q 
or p at random. After disclosing the quadrature they 
used, Alice and Bob discard their data when the quadra- 
tures differ, while the rest is used to make a secret key 
0, 0] . We will in fact consider equivalent entanglement- 
based protocols 4] , where Alice prepares a two- mode vac- 
uum squeezed state, measures a quadrature of one of the 
beams and sends the other beam to Bob. Alice and Bob 
iterate these actions n times, while we assume that Eve is 
able to apply some arbitrary joint operation on this block 
of n pulses. In order to acquire accurate statistics, Alice 
and Bob repeat this protocol L times (with L ^> 1), that 
is, they exchange L blocks of n pulses in total. In our 
security analysis below, we will apply information theory 
at the level of blocks, which is justified since L 3> 1. 

We model Eve's attack by considering that Alice, Bob, 
and Eve share a pure tripartite entangled state (see 
Fig. Alice's (resp. Bob's) part of the state is a set of 
n modes, denoted by A (resp. B). The unknown physi- 
cal system kept by Eve is denoted by E. The joint state 
is pure since we must assume that Eve is able to control 
the environment, thereby to purify the state. We also 
suppose that Bob always measures the same quadrature 
Q as Alice (Q — q or p) . This requires the availability of 
a quantum memory (Bob delays his measurement until 
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FIG. 1: Equivalent entanglement-based QKD proto- 
col. The twin beams of an EPR-source (*) are sent to ho- 
modyne detectors at Alice's (left) and Bob's (right) side. In 
the analogue of the squeezed-state protocol, the beam-splitter 
and the dashed lines are omitted, so Alice only measures one 
quadrature (Qa' = Qa). In the analogue of the coherent- 
state protocol, the beam-splitter is used by Alice to measure 
Q A ' and P A ' simultaneously |13jl . 



Alice discloses the quadrature she used). In a more real- 
istic scheme where Alice and Bob independently choose 
their quadrature q or p at random, they agree only half 
of the time, which simply leads to a factor 1/2 in the 
information rates computed below. 

Information Rates. The mutual information between 
Alice's and Bob's data is 

J(B; A) = /(Qb; Qa) = H(Q B ) - #(Qb|Qa), (1) 

where Qa (resp. Qb) is the random vector of Alice's 
(resp. Bob's) measured quadratures on a block of n 
pulses, while H(-) [resp. denotes the Shannon en- 

tropy (resp. conditional entropy) for continuous random 
variables. We focus our attention on reverse reconcili- 
ation protocols 0, 0> m which Bob's data are used to 
make the key instead of Alice's data (direct reconcilia- 
tion). Then, Eve tries to get the maximum information 
on Bob's measurement outcomes Qb through a measure- 
ment of her ancilla E (we denote Eve's ancilla and her 
measurement outcomes by the same symbol E). Eve's 
information is 

I(B; E) = I(Q n ;E) = H(Q B ) - H(Q B \E). (2) 

The secret key rate Alice and Bob are guaranteed to be 
able to distill by reverse reconciliation is 0, 0] 



AI = I(B;A) - I(B;E) 

= H(Q B \E) - #(Q b |Qa)- 



(3) 



Alice and Bob can, in principle, estimate -H^QbIQa) 
with arbitrary precision since they have access to L joint 
realizations of the random vectors Q a and Qb • To lower 
bound Eve's uncertainty on the key H(Q B \E), they can 
use the entropic uncertainty relation that applies to the 
two sets of conjugate quadratures Qb and Pb 0,0]- 
Indeed, we know that by measuring their systems, Alice 
and Eve project Eve's system onto a pure state since the 
three of them share a joint pure state. Thus, condition- 
ally on Alice's and Eve's measurements Pa and E, the 
pure state held by Bob must satisfy the entropic inequal- 
ity 



where Hq is the entropy of a quadrature of the vacuum 
state for an harmonic oscillator. This inequality then 
allows us to lower bound the accessible secret key rate 
regardless the action of Eve, namely 



AI > AI„ 



2nH Q -H(Q B \Cl A )~H(P Ii \P A ). (5) 



It is worth stressing that the random vectors Pa 
and Pb denote the quadratures that could have been 
measured (the measured quadratures are Qa and Qb)- 
These quadratures are, of course, not directly accessi- 
ble, but we only need their statistical distribution here 
in order to upper bound Eve's information. This distri- 
bution can be estimated from the other pulses for which 
the measured quadrature is the same as Pa and Pb • For 
simplicity, we assume that the two physical quadratures q 
and p are both chosen with probability 1/2. This implies 
that Qa and Pa play fully identical roles so they can 
be treated completely symmetrically (the same is true 
for Qb and Pb). We insist on that this symmetry is 
not a limitation on Eve's possible actions. Even if Eve 
has a quantum memory and acts differently on the phys- 
ical quadratures q and p (after the selected quadrature 
is disclosed), each of them has an equal probability to 
be a measured (Qa and Qb) or an unmeasured (Pa 
and Pb) quadrature. Since Eve has no way of guessing 
which physical quadrature is used, this symmetry im- 
poses #(Qb|Qa) = #(P b |Pa) = H(B\A), where we 
now use A and B as a shorthand notation for Qa and 
Qb (or Pa and Pb). Therefore 



AJ min = 2(nH - H(B\A)). 



(6) 



Since Alice and Bob can evaluate H(B\A) by statistical 
sampling, they get an estimate of A/ m j n and can use 
relevant algorithms to extract a secret key with at least 
this rate jjJUiJ]- 

Individual attacks are optimal. We first prove that Al- 
ice and Bob can lower bound A/ m j n simply by assuming 
that Eve performs an individual attack. Let A, (resp. 
Bi) be the ith component of the random vector A (resp. 
B). The subadditivity of Shannon entropy implies that 



ff(B|A)<X;^i|A), 



(7) 



while each term of the summation can be bounded by 
use of the strong subadditivity of the entropy, namely 



H{B t \A) = H{Bi\A\, . . .,A n ) < H{B i \Ai) i (8) 



so that 



H{B\A)<^2H(Bi\Ai). 



(9) 



H(Q B \E) + F(P b |Pa) > 2nH , 



(4) 



We now consider the average joint distribution of Al- 
ice's and Bob's measurement outcomes (averaged over 
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the block of size n). Suppose that A and B are dis- 
tributed according to a mixture of the A^s and B^s, 
with the index i being randomly drawn from a uniform 
distribution, that is 

V(A = a,B = b) = -y VUi = a, B l = b), Vo, b. 

(10) 

Then, the strong subadditivity of entropies implies that 

H(B l \A l )=H(B\A,i)<H(B\A), (11) 

so that Eq. JJjJ transforms into 

H(B\A) < nH(B\A). (12) 

Finally, using Eq. JBJ), one gets 

A7 min > 2n{H Q - H{B\A)). (13) 

This means that, to be safe against finite-size coherent 
attacks, Alice and Bob only need to evaluate H(B\A), a 
conditional entropy for a distribution in R 2 , instead of 
-ff(B|A), a conditional entropy for a distribution in R 2 ™. 

To better understand this conclusion, assume that Eve 
applies a coherent attack which induces correlations be- 
tween the various components of A and B inside each 
block. These correlations force Eve to induce a kind of 
structure in Alice's and Bob's data, which would not be 
present for individual attacks, so Eve is actually limiting 
herself. Overlooking these correlations and considering 
individual attacks only may be suboptimal for Alice and 
Bob when estimating A/ m j n , but it guarantees they are 
on the safe side. 

Gaussian attacks are optimal. Now, we prove that 
H{B\A) can be upper bounded simply by measuring the 
covariance matrix K of variables A and _B, 



K 



{A 2 ) (AB) 
(AB) (B 2 ) 



(14) 



which is much easier than estimating H{B\A). To sim- 
plify the notations, we will assume that (A) = (B) = 
(in practice, this should be checked and possibly cor- 
rected by applying the adequate shift). For a given K, if 
Alice knows A, her linear estimate of B that minimizes 
the error variance is given by vffl A. Denoting by 5B 
the error of this best linear estimate, 



we have 



H(B\A) = H(SB\A) < H(SB). 



(15) 



(16) 



where we have used the translation invariance and the 
subadditivity of Shannon entropy. Since the gaussian dis- 
tribution has the maximum entropy for a given variance, 
one has 



where Hg(SB) is the entropy of a gaussian distribution 
having the variance (SB 2 ) = (B 2 ) - (AB) 2 /(A 2 ). In 
the case where A and B are drawn from an equivalent 
bivariate Gaussian distribution with the same covariance 
matrix K as the observed distribution, we note that SB 
and A become uncorrelated, so that 



H g (SB) = Hg(SB\A) 



(18) 



Chaining Eqs. Ijltjfl to l|18|) and using the translation in- 
variance of entropy, one obtains 



H(B\A) < Hg(B\A), 
which, combined with Eq. (|13fl . yields 

AI mln > 2n(H -H g (B\A)). 



(19) 



(20) 



Finally, the conditional entropy Hg(B\A) of a bivariate 
gaussian distribution being a simple function of K, one 
obtain the central result of this paper, 



A/ min > n log 



An 



(SB 



(21) 



H{5B) <Hg(SB), 



(17) 



where Nq represents the vacuum variance. This expres- 
sion coincides with the one found when limiting Eve to 
gaussian individual attacks 0, 0|. Therefore, the opti- 
mal attack given the observed covariance matrix K is a 
gaussian individual attack as described in [{J 0, El ■ 

The optimality of gaussian attacks can be interpreted 
almost alike the optimality of individual attacks : since 
the gaussian distribution has the maximal entropy, non- 
gaussian attacks are more structured than gaussian ones 
for a same added noise variance, so Eve is more restricted. 
Therefore, if Alice and Bob only monitor the covariance 
matrix K, they can safely assume that Eve uses gaussian 
attacks. If Eve indeed applies a gaussian attack, the best 
Alice and Bob can do is to use independent and gaussian- 
distributed key elements, which saturates all the involved 
inequalities, so that A/ m ; n is the highest. This justifies 
a posteriori the choice of gaussian-modulated QKD pro- 
tocols in 

Coherent state protocols. We now extend the proof 
to QKD protocols based on gaussian-modulated coherent 
states 0, 0, ■ We again exploit the property that these 
protocols are equivalent to some entanglement-based pro- 
tocols where Alice jointly measures q and p on her entan- 
gled beam while sending the other one to Bob 0| . The 
central point is that this "virtual entanglement," which 
may have existed between Alice and Bob, must be taken 
into account when bounding Eve's information even if the 
actual protocol makes no use of entanglement. We will 
denote by Qa' and Pa' the vectors of the two quadra- 
tures of the n beams kept by Alice and Qb the vector of 
the n quadratures measured by Bob (see Fig.^). The dif- 
ference with the previous scheme is that Alice attempts 
to measure simultaneously Qa' and Pa' through a 50:50 
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beam-splitter followed by two homodyne detectors. The 
measurement outcomes Qa and Pa suffer from added 
noise, while Alice never has access to the actual values 
Qa' and Pa'- The expression of -H^QbIQa) on ly de- 
pends on measured quantities so it can be statistically 
estimated as before, but the entropic uncertainty rela- 
tion used to bound H(Q&\E) now involves the physical 
beam on Alice's side, so one has 

H(Q B \E) + #(P b |Pa') > 2nH (22) 

Thus, the same reasoning as before now leads to 

A/ m i„ > n{2H - Hg{B\A) - Hg(B\A% (23) 

where Hg(B\A') is the conditional entropy of a gaussian 
distribution having the same covariance matrix K' than 
A' and B, which is 



K' 



(A' 2 ) (A'B) 
(A'B) (B 2 ) 



2((A 2 ) - N ) V2(AB) 
V2(AB) 



(24) 



One has therefore 



A/ min > n log 



N 



(25) 

which is exactly the same expression as in our previous 
papers 0, 0, E| , where the only considered attacks are 
gaussian individual attacks. 

Discussion. We extended to finite-size non-gaussian 
attacks the validity of the previous security proofs for 
continuous- variable QKD schemes when Eve's interven- 
tion is bounded via the measured added noise variance in 
the channel. Our proof focuses on the schemes based on 
reverse reconciliation since these are known to tolerate 
larger losses than the direct reconciliation-based proto- 
cols in the case of gaussian individual attacks. Adapting 
the proof to direct-reconciliation 0, or even other Q 
protocols will treated elsewhere. In the proof, we assume 
the protocol is ideal, that is, a perfect one-way reconcil- 
iation algorithm is available. However, realistic reconcil- 
iation protocols are imperfect [l(ij |: the number of corre- 
lated bits that can be extracted from Alice's and Bob's 
data never attains Shannon's limit I(B; A) and may be- 
come low if Eve's attack has an unexpected shape, the 
reconciliation protocol being adapted to a specific noise 
structure. Nevertheless, the security proof can be eas- 
ily extended to this situation since Alice and Bob can 
always compute the effective value of their shared infor- 
mation J e ff by comparing subsets of their data. Then, 
using I(B;E) < n(H - H G (B\A')) as before, one ob- 
tains A/ min > I eS -I{B;E), 

Finally, we have shown that there is a fundamental 
link between security and "entropic squeezing" : the secu- 
rity is guaranteed (AJ m ; n > 0) if the conditional entropy 
H{B\A) is below the quantum limit H [Eq. Q]. In the 



gaussian case, this simplifies to condition a 2 (B\A) < Nq 
[Eq. where a 2 {B\A) = (SB 2 ) denotes the condi- 

tional variance of B knowing A, as suggested in [lij . 
The latter condition is, however, over-pessimistic if Eve 
uses a non-gaussian attack, since a 2 (B\A) might exceed 
No, destroying the conditional squeezing, while keeping 
H(B\A) low enough to ensure security. If Alice and Bob 
only monitor the covariance matrix K, this attack is 
non-optimal since the worst-case gaussian attack would 
maximize H(B\A) and thereby minimize AI for a given 
<t 2 (B\A). In conclusion, the security can be warranted by 
requiring conditional squeezing, which is more stringent 
than entropic squeezing but much easier to assess. 
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